7a75b1cc92be07d39bb5ac9464f8937151297eca335a43b00049331662c67bcf

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 03:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7a75b1cc92be07d39bb5ac9464f8937151297eca335a43b00049331662c67bcf_NeikiAnalytics.exe
Size

60KB
MD5

13f9a0a94e67d51f5cb576ecd70a3330
SHA1

d01e658c4ce97b89d71f95aeb56ba9e7a7a44a75
SHA256

7a75b1cc92be07d39bb5ac9464f8937151297eca335a43b00049331662c67bcf
SHA512

1a7e8996badebf786d1ae839daafc94746de8ad1fc0ac7f70ea90535d8b6de4cbac1ef133b33b82edf1f58f6dd1133f90bb8f4cc8ea6cbb16a10304c68134bbe
SSDEEP

384:vbLwOs8AHsc4sMfwhKQLrod4/CFsrdHWMZo:vvw9816vhKQLrod4/wQpWMZo

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C646EDF-D9A3-469c-9F4F-25659370B87A}	{5273D1A1-D6C3-411f-8485-A40AC71116B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{889FACE7-8A9B-4645-AEE1-9652480E8744}\stubpath = "C:\\Windows\\{889FACE7-8A9B-4645-AEE1-9652480E8744}.exe"	{3C646EDF-D9A3-469c-9F4F-25659370B87A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B793872B-158D-4058-8E69-624829988E8B}	{9E64AD77-2C2C-4cd5-BD23-3F65FF4318C1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B793872B-158D-4058-8E69-624829988E8B}\stubpath = "C:\\Windows\\{B793872B-158D-4058-8E69-624829988E8B}.exe"	{9E64AD77-2C2C-4cd5-BD23-3F65FF4318C1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E111ED4-59F3-48f9-8781-9168C400D368}\stubpath = "C:\\Windows\\{3E111ED4-59F3-48f9-8781-9168C400D368}.exe"	7a75b1cc92be07d39bb5ac9464f8937151297eca335a43b00049331662c67bcf_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3AF9CEB0-0934-4b70-B3BC-788CBDB93A96}\stubpath = "C:\\Windows\\{3AF9CEB0-0934-4b70-B3BC-788CBDB93A96}.exe"	{3E111ED4-59F3-48f9-8781-9168C400D368}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40BB4259-C01C-414d-B3B3-3B1C3125B5A3}	{A69F6087-B306-4b42-897E-FC13EC706837}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E64AD77-2C2C-4cd5-BD23-3F65FF4318C1}	{889FACE7-8A9B-4645-AEE1-9652480E8744}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{074E7E26-EEB6-4f6e-B0E1-CD31A42A79E0}\stubpath = "C:\\Windows\\{074E7E26-EEB6-4f6e-B0E1-CD31A42A79E0}.exe"	{B793872B-158D-4058-8E69-624829988E8B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3AF9CEB0-0934-4b70-B3BC-788CBDB93A96}	{3E111ED4-59F3-48f9-8781-9168C400D368}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A69F6087-B306-4b42-897E-FC13EC706837}\stubpath = "C:\\Windows\\{A69F6087-B306-4b42-897E-FC13EC706837}.exe"	{3AF9CEB0-0934-4b70-B3BC-788CBDB93A96}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40BB4259-C01C-414d-B3B3-3B1C3125B5A3}\stubpath = "C:\\Windows\\{40BB4259-C01C-414d-B3B3-3B1C3125B5A3}.exe"	{A69F6087-B306-4b42-897E-FC13EC706837}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E64AD77-2C2C-4cd5-BD23-3F65FF4318C1}\stubpath = "C:\\Windows\\{9E64AD77-2C2C-4cd5-BD23-3F65FF4318C1}.exe"	{889FACE7-8A9B-4645-AEE1-9652480E8744}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{074E7E26-EEB6-4f6e-B0E1-CD31A42A79E0}	{B793872B-158D-4058-8E69-624829988E8B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E111ED4-59F3-48f9-8781-9168C400D368}	7a75b1cc92be07d39bb5ac9464f8937151297eca335a43b00049331662c67bcf_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A69F6087-B306-4b42-897E-FC13EC706837}	{3AF9CEB0-0934-4b70-B3BC-788CBDB93A96}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5273D1A1-D6C3-411f-8485-A40AC71116B3}	{40BB4259-C01C-414d-B3B3-3B1C3125B5A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5273D1A1-D6C3-411f-8485-A40AC71116B3}\stubpath = "C:\\Windows\\{5273D1A1-D6C3-411f-8485-A40AC71116B3}.exe"	{40BB4259-C01C-414d-B3B3-3B1C3125B5A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C646EDF-D9A3-469c-9F4F-25659370B87A}\stubpath = "C:\\Windows\\{3C646EDF-D9A3-469c-9F4F-25659370B87A}.exe"	{5273D1A1-D6C3-411f-8485-A40AC71116B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{889FACE7-8A9B-4645-AEE1-9652480E8744}	{3C646EDF-D9A3-469c-9F4F-25659370B87A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11AD09F6-86AA-4e78-9897-B5C55E247C70}	{074E7E26-EEB6-4f6e-B0E1-CD31A42A79E0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11AD09F6-86AA-4e78-9897-B5C55E247C70}\stubpath = "C:\\Windows\\{11AD09F6-86AA-4e78-9897-B5C55E247C70}.exe"	{074E7E26-EEB6-4f6e-B0E1-CD31A42A79E0}.exe

Deletes itself 1 IoCs

pid	Process
3004	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1672	{3E111ED4-59F3-48f9-8781-9168C400D368}.exe
2504	{3AF9CEB0-0934-4b70-B3BC-788CBDB93A96}.exe
2632	{A69F6087-B306-4b42-897E-FC13EC706837}.exe
2892	{40BB4259-C01C-414d-B3B3-3B1C3125B5A3}.exe
2668	{5273D1A1-D6C3-411f-8485-A40AC71116B3}.exe
1776	{3C646EDF-D9A3-469c-9F4F-25659370B87A}.exe
2268	{889FACE7-8A9B-4645-AEE1-9652480E8744}.exe
2468	{9E64AD77-2C2C-4cd5-BD23-3F65FF4318C1}.exe
2052	{B793872B-158D-4058-8E69-624829988E8B}.exe
536	{074E7E26-EEB6-4f6e-B0E1-CD31A42A79E0}.exe
1404	{11AD09F6-86AA-4e78-9897-B5C55E247C70}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{11AD09F6-86AA-4e78-9897-B5C55E247C70}.exe	{074E7E26-EEB6-4f6e-B0E1-CD31A42A79E0}.exe
File created	C:\Windows\{3AF9CEB0-0934-4b70-B3BC-788CBDB93A96}.exe	{3E111ED4-59F3-48f9-8781-9168C400D368}.exe
File created	C:\Windows\{40BB4259-C01C-414d-B3B3-3B1C3125B5A3}.exe	{A69F6087-B306-4b42-897E-FC13EC706837}.exe
File created	C:\Windows\{889FACE7-8A9B-4645-AEE1-9652480E8744}.exe	{3C646EDF-D9A3-469c-9F4F-25659370B87A}.exe
File created	C:\Windows\{B793872B-158D-4058-8E69-624829988E8B}.exe	{9E64AD77-2C2C-4cd5-BD23-3F65FF4318C1}.exe
File created	C:\Windows\{074E7E26-EEB6-4f6e-B0E1-CD31A42A79E0}.exe	{B793872B-158D-4058-8E69-624829988E8B}.exe
File created	C:\Windows\{3E111ED4-59F3-48f9-8781-9168C400D368}.exe	7a75b1cc92be07d39bb5ac9464f8937151297eca335a43b00049331662c67bcf_NeikiAnalytics.exe
File created	C:\Windows\{A69F6087-B306-4b42-897E-FC13EC706837}.exe	{3AF9CEB0-0934-4b70-B3BC-788CBDB93A96}.exe
File created	C:\Windows\{5273D1A1-D6C3-411f-8485-A40AC71116B3}.exe	{40BB4259-C01C-414d-B3B3-3B1C3125B5A3}.exe
File created	C:\Windows\{3C646EDF-D9A3-469c-9F4F-25659370B87A}.exe	{5273D1A1-D6C3-411f-8485-A40AC71116B3}.exe
File created	C:\Windows\{9E64AD77-2C2C-4cd5-BD23-3F65FF4318C1}.exe	{889FACE7-8A9B-4645-AEE1-9652480E8744}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2240	7a75b1cc92be07d39bb5ac9464f8937151297eca335a43b00049331662c67bcf_NeikiAnalytics.exe
Token: SeIncBasePriorityPrivilege	1672	{3E111ED4-59F3-48f9-8781-9168C400D368}.exe
Token: SeIncBasePriorityPrivilege	2504	{3AF9CEB0-0934-4b70-B3BC-788CBDB93A96}.exe
Token: SeIncBasePriorityPrivilege	2632	{A69F6087-B306-4b42-897E-FC13EC706837}.exe
Token: SeIncBasePriorityPrivilege	2892	{40BB4259-C01C-414d-B3B3-3B1C3125B5A3}.exe
Token: SeIncBasePriorityPrivilege	2668	{5273D1A1-D6C3-411f-8485-A40AC71116B3}.exe
Token: SeIncBasePriorityPrivilege	1776	{3C646EDF-D9A3-469c-9F4F-25659370B87A}.exe
Token: SeIncBasePriorityPrivilege	2268	{889FACE7-8A9B-4645-AEE1-9652480E8744}.exe
Token: SeIncBasePriorityPrivilege	2468	{9E64AD77-2C2C-4cd5-BD23-3F65FF4318C1}.exe
Token: SeIncBasePriorityPrivilege	2052	{B793872B-158D-4058-8E69-624829988E8B}.exe
Token: SeIncBasePriorityPrivilege	536	{074E7E26-EEB6-4f6e-B0E1-CD31A42A79E0}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 1672	2240	7a75b1cc92be07d39bb5ac9464f8937151297eca335a43b00049331662c67bcf_NeikiAnalytics.exe	28
PID 2240 wrote to memory of 1672	2240	7a75b1cc92be07d39bb5ac9464f8937151297eca335a43b00049331662c67bcf_NeikiAnalytics.exe	28
PID 2240 wrote to memory of 1672	2240	7a75b1cc92be07d39bb5ac9464f8937151297eca335a43b00049331662c67bcf_NeikiAnalytics.exe	28
PID 2240 wrote to memory of 1672	2240	7a75b1cc92be07d39bb5ac9464f8937151297eca335a43b00049331662c67bcf_NeikiAnalytics.exe	28
PID 2240 wrote to memory of 3004	2240	7a75b1cc92be07d39bb5ac9464f8937151297eca335a43b00049331662c67bcf_NeikiAnalytics.exe	29
PID 2240 wrote to memory of 3004	2240	7a75b1cc92be07d39bb5ac9464f8937151297eca335a43b00049331662c67bcf_NeikiAnalytics.exe	29
PID 2240 wrote to memory of 3004	2240	7a75b1cc92be07d39bb5ac9464f8937151297eca335a43b00049331662c67bcf_NeikiAnalytics.exe	29
PID 2240 wrote to memory of 3004	2240	7a75b1cc92be07d39bb5ac9464f8937151297eca335a43b00049331662c67bcf_NeikiAnalytics.exe	29
PID 1672 wrote to memory of 2504	1672	{3E111ED4-59F3-48f9-8781-9168C400D368}.exe	30
PID 1672 wrote to memory of 2504	1672	{3E111ED4-59F3-48f9-8781-9168C400D368}.exe	30
PID 1672 wrote to memory of 2504	1672	{3E111ED4-59F3-48f9-8781-9168C400D368}.exe	30
PID 1672 wrote to memory of 2504	1672	{3E111ED4-59F3-48f9-8781-9168C400D368}.exe	30
PID 1672 wrote to memory of 2540	1672	{3E111ED4-59F3-48f9-8781-9168C400D368}.exe	31
PID 1672 wrote to memory of 2540	1672	{3E111ED4-59F3-48f9-8781-9168C400D368}.exe	31
PID 1672 wrote to memory of 2540	1672	{3E111ED4-59F3-48f9-8781-9168C400D368}.exe	31
PID 1672 wrote to memory of 2540	1672	{3E111ED4-59F3-48f9-8781-9168C400D368}.exe	31
PID 2504 wrote to memory of 2632	2504	{3AF9CEB0-0934-4b70-B3BC-788CBDB93A96}.exe	32
PID 2504 wrote to memory of 2632	2504	{3AF9CEB0-0934-4b70-B3BC-788CBDB93A96}.exe	32
PID 2504 wrote to memory of 2632	2504	{3AF9CEB0-0934-4b70-B3BC-788CBDB93A96}.exe	32
PID 2504 wrote to memory of 2632	2504	{3AF9CEB0-0934-4b70-B3BC-788CBDB93A96}.exe	32
PID 2504 wrote to memory of 2692	2504	{3AF9CEB0-0934-4b70-B3BC-788CBDB93A96}.exe	33
PID 2504 wrote to memory of 2692	2504	{3AF9CEB0-0934-4b70-B3BC-788CBDB93A96}.exe	33
PID 2504 wrote to memory of 2692	2504	{3AF9CEB0-0934-4b70-B3BC-788CBDB93A96}.exe	33
PID 2504 wrote to memory of 2692	2504	{3AF9CEB0-0934-4b70-B3BC-788CBDB93A96}.exe	33
PID 2632 wrote to memory of 2892	2632	{A69F6087-B306-4b42-897E-FC13EC706837}.exe	36
PID 2632 wrote to memory of 2892	2632	{A69F6087-B306-4b42-897E-FC13EC706837}.exe	36
PID 2632 wrote to memory of 2892	2632	{A69F6087-B306-4b42-897E-FC13EC706837}.exe	36
PID 2632 wrote to memory of 2892	2632	{A69F6087-B306-4b42-897E-FC13EC706837}.exe	36
PID 2632 wrote to memory of 1844	2632	{A69F6087-B306-4b42-897E-FC13EC706837}.exe	37
PID 2632 wrote to memory of 1844	2632	{A69F6087-B306-4b42-897E-FC13EC706837}.exe	37
PID 2632 wrote to memory of 1844	2632	{A69F6087-B306-4b42-897E-FC13EC706837}.exe	37
PID 2632 wrote to memory of 1844	2632	{A69F6087-B306-4b42-897E-FC13EC706837}.exe	37
PID 2892 wrote to memory of 2668	2892	{40BB4259-C01C-414d-B3B3-3B1C3125B5A3}.exe	38
PID 2892 wrote to memory of 2668	2892	{40BB4259-C01C-414d-B3B3-3B1C3125B5A3}.exe	38
PID 2892 wrote to memory of 2668	2892	{40BB4259-C01C-414d-B3B3-3B1C3125B5A3}.exe	38
PID 2892 wrote to memory of 2668	2892	{40BB4259-C01C-414d-B3B3-3B1C3125B5A3}.exe	38
PID 2892 wrote to memory of 2260	2892	{40BB4259-C01C-414d-B3B3-3B1C3125B5A3}.exe	39
PID 2892 wrote to memory of 2260	2892	{40BB4259-C01C-414d-B3B3-3B1C3125B5A3}.exe	39
PID 2892 wrote to memory of 2260	2892	{40BB4259-C01C-414d-B3B3-3B1C3125B5A3}.exe	39
PID 2892 wrote to memory of 2260	2892	{40BB4259-C01C-414d-B3B3-3B1C3125B5A3}.exe	39
PID 2668 wrote to memory of 1776	2668	{5273D1A1-D6C3-411f-8485-A40AC71116B3}.exe	40
PID 2668 wrote to memory of 1776	2668	{5273D1A1-D6C3-411f-8485-A40AC71116B3}.exe	40
PID 2668 wrote to memory of 1776	2668	{5273D1A1-D6C3-411f-8485-A40AC71116B3}.exe	40
PID 2668 wrote to memory of 1776	2668	{5273D1A1-D6C3-411f-8485-A40AC71116B3}.exe	40
PID 2668 wrote to memory of 1520	2668	{5273D1A1-D6C3-411f-8485-A40AC71116B3}.exe	41
PID 2668 wrote to memory of 1520	2668	{5273D1A1-D6C3-411f-8485-A40AC71116B3}.exe	41
PID 2668 wrote to memory of 1520	2668	{5273D1A1-D6C3-411f-8485-A40AC71116B3}.exe	41
PID 2668 wrote to memory of 1520	2668	{5273D1A1-D6C3-411f-8485-A40AC71116B3}.exe	41
PID 1776 wrote to memory of 2268	1776	{3C646EDF-D9A3-469c-9F4F-25659370B87A}.exe	42
PID 1776 wrote to memory of 2268	1776	{3C646EDF-D9A3-469c-9F4F-25659370B87A}.exe	42
PID 1776 wrote to memory of 2268	1776	{3C646EDF-D9A3-469c-9F4F-25659370B87A}.exe	42
PID 1776 wrote to memory of 2268	1776	{3C646EDF-D9A3-469c-9F4F-25659370B87A}.exe	42
PID 1776 wrote to memory of 1452	1776	{3C646EDF-D9A3-469c-9F4F-25659370B87A}.exe	43
PID 1776 wrote to memory of 1452	1776	{3C646EDF-D9A3-469c-9F4F-25659370B87A}.exe	43
PID 1776 wrote to memory of 1452	1776	{3C646EDF-D9A3-469c-9F4F-25659370B87A}.exe	43
PID 1776 wrote to memory of 1452	1776	{3C646EDF-D9A3-469c-9F4F-25659370B87A}.exe	43
PID 2268 wrote to memory of 2468	2268	{889FACE7-8A9B-4645-AEE1-9652480E8744}.exe	44
PID 2268 wrote to memory of 2468	2268	{889FACE7-8A9B-4645-AEE1-9652480E8744}.exe	44
PID 2268 wrote to memory of 2468	2268	{889FACE7-8A9B-4645-AEE1-9652480E8744}.exe	44
PID 2268 wrote to memory of 2468	2268	{889FACE7-8A9B-4645-AEE1-9652480E8744}.exe	44
PID 2268 wrote to memory of 1128	2268	{889FACE7-8A9B-4645-AEE1-9652480E8744}.exe	45
PID 2268 wrote to memory of 1128	2268	{889FACE7-8A9B-4645-AEE1-9652480E8744}.exe	45
PID 2268 wrote to memory of 1128	2268	{889FACE7-8A9B-4645-AEE1-9652480E8744}.exe	45
PID 2268 wrote to memory of 1128	2268	{889FACE7-8A9B-4645-AEE1-9652480E8744}.exe	45

C:\Users\Admin\AppData\Local\Temp\7a75b1cc92be07d39bb5ac9464f8937151297eca335a43b00049331662c67bcf_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\7a75b1cc92be07d39bb5ac9464f8937151297eca335a43b00049331662c67bcf_NeikiAnalytics.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\{3E111ED4-59F3-48f9-8781-9168C400D368}.exe
  C:\Windows\{3E111ED4-59F3-48f9-8781-9168C400D368}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Windows\{3AF9CEB0-0934-4b70-B3BC-788CBDB93A96}.exe
    C:\Windows\{3AF9CEB0-0934-4b70-B3BC-788CBDB93A96}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2504
  - - C:\Windows\{A69F6087-B306-4b42-897E-FC13EC706837}.exe
      C:\Windows\{A69F6087-B306-4b42-897E-FC13EC706837}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Windows\{40BB4259-C01C-414d-B3B3-3B1C3125B5A3}.exe
        
        C:\Windows\{40BB4259-C01C-414d-B3B3-3B1C3125B5A3}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2892
      - C:\Windows\{5273D1A1-D6C3-411f-8485-A40AC71116B3}.exe
        
        C:\Windows\{5273D1A1-D6C3-411f-8485-A40AC71116B3}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\{3C646EDF-D9A3-469c-9F4F-25659370B87A}.exe
        
        C:\Windows\{3C646EDF-D9A3-469c-9F4F-25659370B87A}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\{889FACE7-8A9B-4645-AEE1-9652480E8744}.exe
        
        C:\Windows\{889FACE7-8A9B-4645-AEE1-9652480E8744}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\{9E64AD77-2C2C-4cd5-BD23-3F65FF4318C1}.exe
        
        C:\Windows\{9E64AD77-2C2C-4cd5-BD23-3F65FF4318C1}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2468
        
        C:\Windows\{B793872B-158D-4058-8E69-624829988E8B}.exe
        
        C:\Windows\{B793872B-158D-4058-8E69-624829988E8B}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
        
        C:\Windows\{074E7E26-EEB6-4f6e-B0E1-CD31A42A79E0}.exe
        
        C:\Windows\{074E7E26-EEB6-4f6e-B0E1-CD31A42A79E0}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:536
        
        C:\Windows\{11AD09F6-86AA-4e78-9897-B5C55E247C70}.exe
        
        C:\Windows\{11AD09F6-86AA-4e78-9897-B5C55E247C70}.exe
        12⤵
        Executes dropped EXE
        
        PID:1404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{074E7~1.EXE > nul
        12⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B7938~1.EXE > nul
        11⤵
        
        PID:444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E64A~1.EXE > nul
        10⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{889FA~1.EXE > nul
        9⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C646~1.EXE > nul
        8⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5273D~1.EXE > nul
        7⤵
        
        PID:1520
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{40BB4~1.EXE > nul
        6⤵
        
        PID:2260
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A69F6~1.EXE > nul
        5⤵
        
        PID:1844
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3AF9C~1.EXE > nul
      4⤵
      PID:2692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3E111~1.EXE > nul
    3⤵
    PID:2540
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\7A75B1~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{074E7E26-EEB6-4f6e-B0E1-CD31A42A79E0}.exe

Filesize
60KB

MD5
8214c72de5fb53e99bb73b72b2e4cc80

SHA1
158897f7b429d2939627e23d0f55a4eb634ed631

SHA256
556de1647d462a00ddb65181ac24b960c890837f4981cec9f02e66465e79539e

SHA512
130f7693876de30821af9e4a75ba7619bb64942ff61fb320077360ba3120255b9398ef9b5a324dba695c9addce99fffa3450a049b70a650fa91a2caf5857ab21

Download Submit
C:\Windows\{11AD09F6-86AA-4e78-9897-B5C55E247C70}.exe

Filesize
60KB

MD5
6b3d251385346e06670259e73f648091

SHA1
88ea90d2f169dca743087119843f8ffea3797083

SHA256
39fd3094045fc60bba8d5a6f68179cf3ece7d3041478d982787253435b134763

SHA512
d725f523a6f156b911fd6a6372dea3d9c313f3085fd156b9d50ffb5878a0ef3502d3e00ad5b59faa9cf757206e4bfcb098430ec66e0cce7f4fd83401f5d544a0

Download Submit
C:\Windows\{3AF9CEB0-0934-4b70-B3BC-788CBDB93A96}.exe

Filesize
60KB

MD5
57dba73ffce80ddce1f3c6d82712e3b4

SHA1
4fc0a32c940db2fbe871a503b7ecd7a627aec65c

SHA256
8ea971ae72caacad56d467a195b52c142c5f1f74a46b31d0b8f2166b5656ea9e

SHA512
79c94bd08db8dc0c42886060629cdad0e533327e9f0fb720a12ed470446fd8d19177d9d1aac950549a1a45e59f87f0feeec61707978a171ee115365924ab39ab

Download Submit
C:\Windows\{3C646EDF-D9A3-469c-9F4F-25659370B87A}.exe

Filesize
60KB

MD5
8314e8e0c3f599c5e602c3e5938a48fa

SHA1
7245e0de32e7c9514a3230d852e88534792f1f38

SHA256
919d21a0cd04898cbcf966c92c4251092278a90ddc3ccba067c4317c2ed2179e

SHA512
d3d87e5f8736d20ee4c5ea3f963f1a47c48b514aa60f0c821f1b34046ca2208def3a63eb3b02a61630011365ff5e50fdaa066926f1bd8cf8685befdd0d22b6c1

Download Submit
C:\Windows\{3E111ED4-59F3-48f9-8781-9168C400D368}.exe

Filesize
60KB

MD5
182454c76fc4fed2f62f2720872674c6

SHA1
1d6d6b0d052e358caf2fca9124273590ab8f9fca

SHA256
b58f0463a6712e41a49d86e09a95ed63f0c6ceb687f55baa37fc46b643c36d1c

SHA512
73bd885fa14300aff9eb7335a7d9b93d06420c383f270461f0d2e5d4f64f7f3c367c5959ec1eeca05b429d547de7cb6373fa1dce0a89c8cce4ebe56815fb0660

Download Submit
C:\Windows\{40BB4259-C01C-414d-B3B3-3B1C3125B5A3}.exe

Filesize
60KB

MD5
f5b6e61c0d45e07d305cecea4c1a010f

SHA1
b1db5eb15a789c241e20eee82d69757eeda347ce

SHA256
c741cf24b390b4dbb536c5f691867c13e8291f64c4ed72c1b4f39ac886d1a01c

SHA512
ddbf9ece699b415bbb3f1dc9741e15affb40b291d35dc36da65a354e9ea2f680693736534a384184cb13520b371b5680ba47232d22772320121ff5116b4350b1

Download Submit
C:\Windows\{5273D1A1-D6C3-411f-8485-A40AC71116B3}.exe

Filesize
60KB

MD5
8c009092025f69cec372fadd6040f41b

SHA1
2167ab8e16a50e4a585f15a34fa0ee46ebf9158d

SHA256
cb5da8ba254ad44d8e14dda1768d045d63e4fa70f5254c18ed3f7c201a360412

SHA512
4d49afe43435e4218c089510dc0fb2d53206265e66601f7475fdb46105fb7ea050b662288fa6494720a7cc65102d3a1429fea9f5b76edf6a94925c4d6e41caf2

Download Submit
C:\Windows\{889FACE7-8A9B-4645-AEE1-9652480E8744}.exe

Filesize
60KB

MD5
df46cc9638dbec9406e88d8596bedeb3

SHA1
4201f888c1797f41ce15d4d406b4afd23ffdf1b7

SHA256
ba996f7ab237458b3362db2c2576f53197210ac5fdf17efb68b7052ad9e53045

SHA512
cdb94ceddb1414405b7868a9ca747753e53c98bb4d8d7647003ddd5a6f5d93f0d35faa33264cef76db78048ba520d8876224d08577a3042eb0c76a95259618d1

Download Submit
C:\Windows\{9E64AD77-2C2C-4cd5-BD23-3F65FF4318C1}.exe

Filesize
60KB

MD5
d7d23658be15e858eb5b0a4b50e49c50

SHA1
b7145947be0f7c47a66a157b9959cba7e3d5ad76

SHA256
eeb9d4d594dcb36b87a32f57f3bc251ce7314c936991d6d5cd3f546b1ff0173f

SHA512
51fbfe66e421b7c32ad464f138a8dcdb770a6f984ef461dd3f4cb90c8db4c8fcf9b188487bf81063d97866144a1922d1e7f57bfbc48e593d930f9070b69e3cbf

Download Submit
C:\Windows\{A69F6087-B306-4b42-897E-FC13EC706837}.exe

Filesize
60KB

MD5
72b9f64708341adc154ab7edc6c1f0f3

SHA1
117b8abeb409311211caf8e32a6350a98250d7a4

SHA256
af1e1b3511465193059d957fcd0193b2cc674f906ea4c90ae23177b1264d4131

SHA512
a0570b1cc4fdd71f13cc08a4508ed8de90089123a30f916d1299378ebc67bb87fca63419030523e4e2bcbdd60e84479427b08b751a604d31e7e02df9dd791c56

Download Submit
C:\Windows\{B793872B-158D-4058-8E69-624829988E8B}.exe

Filesize
60KB

MD5
4084c6713ec2da1befb3b193191b472c

SHA1
270e7b029db32051dbc5cca5a4969c3e3236e8e9

SHA256
8427222c4e8935715932b8c086326ba42aea0b075c84e96c0f7de5cb61e76e3c

SHA512
02811be7e1c5c04914f2727d1b20694193270f61cbee31b0326d35f6ec2dd9d79a13fe1a7ddeb6ac0ad9050e757a150b153957ac0a7d7938ddde935891ac49e8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads